An attacker is able to view the list of followers for any Facebook page by browsing the list through the mobile version (m.facebook.com, mbasic.facebook.com).
Leaking the list of followers for any Facebook page.
Create any Facebook page and browse it using the mobile version, m.facebook.com.
Try opening each tab and notice the following URL (banned users):
People who liked this page: https://m.facebook.com/browse/fans/?id=your_page_id
So I tried to change my page id to a victim page id (a page I don't have a role in), and unfortunately a message appeared: "you don't have permission to view this list".
But wait! What about the "Followers" tab?
It does not appear in the UI, as we mentioned in step 3.
But notice from step 4 that it's easy to guess the directory name of the followers tab!
The first word that came to my mind as a guess for the followers list directory was "followers".
I changed it, then changed the id parameter to any Facebook page id, and finally succeeded in fetching the followers!
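The flaw described above is a role check enforced on one list endpoint but missing on a sibling endpoint that the UI never links to. The following is an added example, not code from the original write-up or from Facebook: a minimal Python model that puts the flawed pattern next to a deny-by-default route registry. All users, page ids and data are constructed, and the paths only mirror the URL pattern shown in the write-up.

```python
# Constructed model of the page-list endpoints; all names and data are hypothetical.
PAGE_ROLES = {"page_a": {"alice"}, "page_b": {"bob"}}  # page id -> users with a role
LISTS = {
    "fans": {"page_a": ["u1", "u2"], "page_b": ["u3"]},
    "followers": {"page_a": ["u4"], "page_b": ["u5", "u6"]},
}

class Forbidden(Exception):
    pass

def require_page_role(handler):
    """Reject the request unless the caller holds a role on the requested page."""
    def wrapped(user, page_id):
        if user not in PAGE_ROLES.get(page_id, set()):
            raise Forbidden("you don't have permission to view this list")
        return handler(user, page_id)
    wrapped.authz_checked = True  # marker the registry inspects
    return wrapped

def list_handler(kind):
    """Build the raw handler that returns one kind of list for a page."""
    return lambda user, page_id: LISTS[kind][page_id]

# Flawed pattern from the write-up: only the endpoint linked from the UI is checked.
FLAWED = {
    "/browse/fans/": require_page_role(list_handler("fans")),
    "/browse/followers/": list_handler("followers"),  # no role check
}

ROUTES = {}

def route(path, handler):
    """Deny by default: refuse to register a list handler that has no role check."""
    if not getattr(handler, "authz_checked", False):
        raise RuntimeError(f"{path}: handler registered without authorization check")
    ROUTES[path] = handler

def build_hardened_routes():
    """Register every list kind through the same role check, linked in the UI or not."""
    for kind in LISTS:
        route(f"/browse/{kind}/", require_page_role(list_handler(kind)))
    return ROUTES

def can_read(routes, path, user, page_id):
    """Return True if the request succeeds, False if it is rejected."""
    try:
        routes[path](user, page_id)
        return True
    except Forbidden:
        return False
```

Because the registry refuses unchecked handlers, a newly added list endpoint cannot ship without the role check, whether or not the UI exposes it.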